diff options
Diffstat (limited to 'meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch')
-rw-r--r-- | meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch | 158 |
1 files changed, 158 insertions, 0 deletions
diff --git a/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch new file mode 100644 index 0000000000..12ec4e1c17 --- /dev/null +++ b/meta/recipes-bsp/grub/files/CVE-2020-14372_5.patch @@ -0,0 +1,158 @@ +From 1ad728b08ba2a21573e5f81a565114f74ca33988 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas <javierm@redhat.com> +Date: Mon, 28 Sep 2020 20:08:33 +0200 +Subject: [PATCH] efi: Use grub_is_lockdown() instead of hardcoding a disabled + modules list + +Now the GRUB can check if it has been locked down and this can be used to +prevent executing commands that can be utilized to circumvent the UEFI +Secure Boot mechanisms. So, instead of hardcoding a list of modules that +have to be disabled, prevent the usage of commands that can be dangerous. + +This not only allows the commands to be disabled on other platforms, but +also properly separate the concerns. Since the shim_lock verifier logic +should be only about preventing to run untrusted binaries and not about +defining these kind of policies. + +Signed-off-by: Javier Martinez Canillas <javierm@redhat.com> +Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com> + +Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/grub.git/commit/?id=8f73052885892bc0dbc01e297f79d7cf4925e491] +CVE: CVE-2020-14372 +Signed-off-by: Marta Rybczynska <marta.rybczynska@huawei.com> +--- + docs/grub.texi | 10 ++++++++++ + grub-core/commands/i386/wrmsr.c | 5 +++-- + grub-core/commands/iorw.c | 19 ++++++++++--------- + grub-core/commands/memrw.c | 19 ++++++++++--------- + 4 files changed, 33 insertions(+), 20 deletions(-) + +diff --git a/docs/grub.texi b/docs/grub.texi +index 5e6cace..0786427 100644 +--- a/docs/grub.texi ++++ b/docs/grub.texi +@@ -5256,6 +5256,9 @@ only applies to the particular cpu/core/thread that runs the command. + Also, if you specify a reserved or unimplemented MSR address, it will + cause a general protection exception (which is not currently being handled) + and the system will reboot. ++ ++Note: The command is not allowed when lockdown is enforced (@pxref{Lockdown}). ++ This is done to prevent subverting various security mechanisms. + @end deffn + + @node xen_hypervisor +@@ -5758,6 +5761,13 @@ security reasons. All above mentioned requirements are enforced by the + shim_lock module. And itself it is a persistent module which means that + it cannot be unloaded if it was loaded into the memory. + ++All GRUB modules not stored in the @file{core.img}, OS kernels, ACPI tables, ++Device Trees, etc. have to be signed, e.g, using PGP. Additionally, the commands ++that can be used to subvert the UEFI secure boot mechanism, such as @command{iorw} ++and @command{memrw} will not be available when the UEFI secure boot is enabled. ++This is done for security reasons and are enforced by the GRUB Lockdown mechanism ++(@pxref{Lockdown}). ++ + @node Measured Boot + @section Measuring boot components + +diff --git a/grub-core/commands/i386/wrmsr.c b/grub-core/commands/i386/wrmsr.c +index 9c5e510..56a29c2 100644 +--- a/grub-core/commands/i386/wrmsr.c ++++ b/grub-core/commands/i386/wrmsr.c +@@ -24,6 +24,7 @@ + #include <grub/env.h> + #include <grub/command.h> + #include <grub/extcmd.h> ++#include <grub/lockdown.h> + #include <grub/i18n.h> + #include <grub/i386/cpuid.h> + #include <grub/i386/wrmsr.h> +@@ -83,8 +84,8 @@ grub_cmd_msr_write (grub_command_t cmd __attribute__ ((unused)), int argc, char + + GRUB_MOD_INIT(wrmsr) + { +- cmd_write = grub_register_command ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"), +- N_("Write a value to a CPU model specific register.")); ++ cmd_write = grub_register_command_lockdown ("wrmsr", grub_cmd_msr_write, N_("ADDR VALUE"), ++ N_("Write a value to a CPU model specific register.")); + } + + GRUB_MOD_FINI(wrmsr) +diff --git a/grub-core/commands/iorw.c b/grub-core/commands/iorw.c +index a0c164e..584baec 100644 +--- a/grub-core/commands/iorw.c ++++ b/grub-core/commands/iorw.c +@@ -23,6 +23,7 @@ + #include <grub/env.h> + #include <grub/cpu/io.h> + #include <grub/i18n.h> ++#include <grub/lockdown.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -131,17 +132,17 @@ GRUB_MOD_INIT(memrw) + N_("PORT"), N_("Read 32-bit value from PORT."), + options); + cmd_write_byte = +- grub_register_command ("outb", grub_cmd_write, +- N_("PORT VALUE [MASK]"), +- N_("Write 8-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outb", grub_cmd_write, ++ N_("PORT VALUE [MASK]"), ++ N_("Write 8-bit VALUE to PORT.")); + cmd_write_word = +- grub_register_command ("outw", grub_cmd_write, +- N_("PORT VALUE [MASK]"), +- N_("Write 16-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outw", grub_cmd_write, ++ N_("PORT VALUE [MASK]"), ++ N_("Write 16-bit VALUE to PORT.")); + cmd_write_dword = +- grub_register_command ("outl", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 32-bit VALUE to PORT.")); ++ grub_register_command_lockdown ("outl", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 32-bit VALUE to PORT.")); + } + + GRUB_MOD_FINI(memrw) +diff --git a/grub-core/commands/memrw.c b/grub-core/commands/memrw.c +index 98769ea..d401a6d 100644 +--- a/grub-core/commands/memrw.c ++++ b/grub-core/commands/memrw.c +@@ -22,6 +22,7 @@ + #include <grub/extcmd.h> + #include <grub/env.h> + #include <grub/i18n.h> ++#include <grub/lockdown.h> + + GRUB_MOD_LICENSE ("GPLv3+"); + +@@ -133,17 +134,17 @@ GRUB_MOD_INIT(memrw) + N_("ADDR"), N_("Read 32-bit value from ADDR."), + options); + cmd_write_byte = +- grub_register_command ("write_byte", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 8-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_byte", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 8-bit VALUE to ADDR.")); + cmd_write_word = +- grub_register_command ("write_word", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 16-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_word", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 16-bit VALUE to ADDR.")); + cmd_write_dword = +- grub_register_command ("write_dword", grub_cmd_write, +- N_("ADDR VALUE [MASK]"), +- N_("Write 32-bit VALUE to ADDR.")); ++ grub_register_command_lockdown ("write_dword", grub_cmd_write, ++ N_("ADDR VALUE [MASK]"), ++ N_("Write 32-bit VALUE to ADDR.")); + } + + GRUB_MOD_FINI(memrw) |